Facebook has confirmed to TechCrunch that it is investigating the report. The serious-sounding exploit is allegedly capable of hoovering up user data including name, gender, age, email address and location, and potentially your profile photo.
How many websites might be affected by this problem? According to researchers at Princeton University, some 434 of the top million websites carry a script that pilfers Facebook user data in this way.
The websites in question include MongoDB, and the vast majority of these sites are probably unaware of the issue with the ‘Login with Facebook’ feature. MongoDB certainly wasn’t aware; after being informed by TechCrunch, it took action and removed the script.
Facebook has issued a statement to say: “Scraping Facebook user data is in direct violation of our policies. While we are investigating this issue, we have taken immediate action by suspending the ability to link unique user IDs for specific applications to individual Facebook profile pages, and are working to institute additional authentication and rate limiting for Facebook Login profile picture requests.”
Of course, this comes at a bad time for Facebook, with its CEO Mark Zuckerberg being questioned by US Senators last week regarding allegations over the misuse of personal data by Cambridge Analytica – and wider concerns which have been raised about Facebook’s data collection policies in general.
Social login isn’t safe?
He added: “By Facebook allowing unencrypted information into the browser, private information is now available to anything running in that browser, whether that be other trackers, or malicious software (like malware that can conduct man-in-the-middle attacks).
“While open APIs create convenience, applications expected to interact with one another should be secured together. This can be accomplished first by securing the code (obfuscation and runtime protection against tampering) while adding mutual authentication of the applications themselves.”